LateNaite asked:

Test authentication against Azure AD Server

Just wondering if anyone knows how I can test some pilot users against the new Azure Active Directory for authentication before we migrate every user from on-premise AD servers to Azure AD servers. We were able to replicate the AD and DNS database from the on-prem servers to Azure, but before moving everything over to Azure, we would like to test authentication first with 1 or 2 users to make sure Azure is working just fine before we migrate everything and decommission the on-premise AD servers. Thanks!


Last Comment

8/22/2022 - Mon
Hayes Jupe

So just to clarify, you set up servers within Azure (as VMs) and then promoted them to be DCs? That's what it sounds like you're saying.

You just need to be careful with your terminology, as Azure AD (or AAD as it's commonly abbreviated to) is a completely different product/technology to full/traditional domain controllers (no matter where they're running).

Thanks Hayes for the quick response.
Yes we have set up new Azure AD servers but they are running as a tertiary AD/DNS server.  Not promoted yet until we migrate all users.  Wanted a way to test it with it as tertiary AD/DNS server if that is possible.  Thanks!
Hayes Jupe

OK, so there is no such thing as a secondary or tertiary domain controller... all DCs are equal (and yes, technical people will state correctly that there are 5 FSMO roles which are unique in the forest/domain, but these are for specific purposes and not relevant here). Which DC is used by users (or services etc.) is determined by AD Sites and Services configuration. In order to be DCs, they must have been promoted to be DCs; that's how servers become DCs.

There is such a thing as secondary and tertiary DNS, as the order you specify them in DHCP or manually is the order they are utilised in, so the terminology is correct for that.

Sorry to be pedantic, but these distinctions are important.

There are 2 things to test here:
1) Authentication occurring on your new DCs
2) Network connectivity from on-prem to your new DCs

Additionally, you will want to check if anything else is using your existing DCs with hard-coded names or IPs, for LDAP lookups or the like.

There are a couple of ways you can go about this:
1) Ensure you have an AD site correctly configured for your Azure IP range
2) Look for event ID 4624 in the Security logs of the new DCs; this will show you logons that are occurring against that DC
3) Log on to a server or workstation you have within Azure. If the AD site is configured correctly, you would expect that logon to utilise one of your Azure-based DCs. This can be verified by checking for the event log entries on the DCs or by looking at the LOGONSERVER variable on the workstation/server you logged on from (or both)
4) Outside of hours, shut down your on-prem DCs (temporarily) and update DNS on a test workstation. This assumes you are not a 24x7 operation. If you are not, this can act as a very quick test to verify and give confidence that the environment will work once the on-prem DCs are shut down for good
5) If you think you may have LDAP and other services performing lookups to your existing DCs, this can be identified by turning up logging as specified here: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/configure-ad-and-lds-event-logging
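One way to carry out checks 1 to 3 from the post above, as an added PowerShell example (not code from the thread or from Hayes). It assumes a domain `corp.example.com`, a pilot account `pilotuser` and a new Azure-hosted DC named `AZ-DC01`; all three are placeholders, and the Active Directory RSAT module is needed for the subnet query.

```powershell
# Added example: verify which DC a pilot logon actually hits.
# Placeholders (assumptions): domain, pilot user and new DC name below.
param(
    [string]$Domain    = 'corp.example.com',   # assumption
    [string]$PilotUser = 'pilotuser',          # assumption
    [string]$NewDc     = 'AZ-DC01'             # assumption
)

# Pull one named field out of a 4624 event's EventData block.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 1) On the test workstation: LOGONSERVER is set at logon time; nltest re-runs
#    the DC locator so you see which DC the site configuration hands out now.
"LOGONSERVER for this session : $env:LOGONSERVER"
nltest /dsgetdc:$Domain /force | Select-String 'DC:|Site Name'

# 2) Confirm the Azure IP range is mapped to the intended AD site.
Get-ADReplicationSubnet -Filter * -Properties Site |
    Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } } |
    Format-Table -AutoSize

# 3) On the new DC: 4624 logon events for the pilot user in the last 24 hours.
#    Logon type 2/11 = interactive, 3 = network (file share, LDAP), 10 = RDP.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -ComputerName $NewDc -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $PilotUser } |
    Select-Object TimeCreated,
        @{ n = 'LogonType';   e = { Get-EventField $_ 'LogonType' } },
        @{ n = 'Workstation'; e = { Get-EventField $_ 'WorkstationName' } },
        @{ n = 'SourceIp';    e = { Get-EventField $_ 'IpAddress' } } |
    Format-Table -AutoSize
```

If step 3 returns nothing while the pilot user has logged on, the site/subnet mapping in step 2 is the first thing to re-check, since the DC locator will keep handing out on-prem DCs for an unmapped Azure range.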


Thanks for the quick response again Hayes.

Yes, clients are using DHCP and we will change the DNS order to point to Azure DNS first for the pilot site. Unfortunately, they have 5 sites and are 24x7, and I was trying to avoid shutting down the on-prem to avoid any issues on-prem. Also, unfortunately, Azure is a new environment and the only Virtual Machines now on Azure are the two new Azure AD/DNS servers, so there is not a new VM to test authentication. Even then, I still don't think that would be a valid test for on-prem users to authenticate against the new Azure AD servers. All connectivity is there via site-to-site VPCs and we tested all replication already and that is working fine.

If there is no other way to test, we may have to shut down the on-prem after hours (which we plan to test anyway with the first site, which has a smaller number of users).

Hayes Jupe


Awesome, will try the options you mentioned Hayes. Thanks a lot!